Michael Sinatra discovered that the DNS resolver component in BIND does not properly check DNS records contained in additional sections of DNS responses, leading to a cache poisoning vulnerability. This vulnerability is only present in resolvers which have been configured with DNSSEC trust anchors, which is still rare.

Note that this update contains an internal ABI change, which means that all BIND-related packages (bind9, dnsutils and the library packages) must be updated at the same time (preferably using "apt-get update" and "apt-get upgrade"). In the unlikely event that you have compiled your own software against libdns, you must recompile these programs, too.

For the old stable distribution (etch), this problem has been fixed in version 9.3.4-2etch6.

For the stable distribution (lenny), this problem has been fixed in version 9.5.1.dfsg.P3-1+lenny1.

For the unstable distribution (sid) and the testing distribution (squeeze), this problem has been fixed in version 9.6.1.dfsg.P2-1.

We recommend that you upgrade your bind9 packages.

Upgrade instructions
--------------------

wget url will fetch the file for you
dpkg -i file.deb will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below: